From 76b97483d606ec0b11b31505c83de5b75b1f9f1b Mon Sep 17 00:00:00 2001 From: Lukas Vrabec Date: Nov 26 2013 12:45:01 +0000 Subject: * Tue Nov 26 2013 Lukas Vrabec 3.12.1-74.14 - Allow apmd to request the kernel load module - Allow sssd to request the kernel loads modules - label mate-keyring-daemon with gkeyringd_exec_t - Allow procmail_t to connect to dovecot stream sockets - Allow smoltclient to execute ldconfig - Allow condor domains to read/write condor_master udp_socket - sendmail can attempt to block suspend, but will complete successfully - Add support for texlive2013 - Allow passwd_t to connect to gnome keyring to change password - Should allow domains to lock the terminal device --- diff --git a/policy-f19-base.patch b/policy-f19-base.patch index 63c2e65..e6a2495 100644 --- a/policy-f19-base.patch +++ b/policy-f19-base.patch @@ -2575,7 +2575,7 @@ index 99e3903..7270808 100644 ######################################## diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te -index d555767..68f6887 100644 +index d555767..3053e39 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -5,18 +5,18 @@ policy_module(usermanage, 1.18.1) @@ -2857,7 +2857,7 @@ index d555767..68f6887 100644 userdom_use_unpriv_users_fds(passwd_t) # make sure that getcon succeeds userdom_getattr_all_users(passwd_t) -@@ -349,9 +389,16 @@ userdom_read_user_tmp_files(passwd_t) +@@ -349,9 +389,17 @@ userdom_read_user_tmp_files(passwd_t) # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) @@ -2866,7 +2866,8 @@ index d555767..68f6887 100644 optional_policy(` - nscd_run(passwd_t, passwd_roles) + gnome_exec_keyringd(passwd_t) -+ gnome_manage_cache_home_dir(passwd_t) ++ gnome_manage_cache_home_dir(passwd_t) ++ gnome_stream_connect_gkeyringd(passwd_t) +') + +optional_policy(` 
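Review bot: The new `gnome_stream_connect_gkeyringd(passwd_t)` line carries no comment saying why a setuid password-changing domain needs a socket to the user's keyring daemon; the only rationale is the changelog bullet "Allow passwd_t to connect to gnome keyring to change password", which will not be visible to whoever next audits usermanage.te. Suggest recording it next to the rule, e.g. `# passwd updates the login keyring's password over the gkeyringd socket (3.12.1-74.14)`. The adjacent `gnome_manage_cache_home_dir(passwd_t)` is rewritten in place (the -+/++ pair looks whitespace-only) and is considerably wider than socket access; if the socket connect is what was actually missing, it is worth confirming that the cache-home manage rule is still required by passwd at all. The enclosing optional_policy block is fully inside the hunk.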
@@ -2875,7 +2876,7 @@ index d555767..68f6887 100644 ') ######################################## -@@ -398,9 +445,10 @@ dev_read_urand(sysadm_passwd_t) +@@ -398,9 +446,10 @@ dev_read_urand(sysadm_passwd_t) fs_getattr_xattr_fs(sysadm_passwd_t) fs_search_auto_mountpoints(sysadm_passwd_t) @@ -2888,7 +2889,7 @@ index d555767..68f6887 100644 auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t) -@@ -413,7 +461,6 @@ files_read_usr_files(sysadm_passwd_t) +@@ -413,7 +462,6 @@ files_read_usr_files(sysadm_passwd_t) domain_use_interactive_fds(sysadm_passwd_t) @@ -2896,7 +2897,7 @@ index d555767..68f6887 100644 files_relabel_etc_files(sysadm_passwd_t) files_read_etc_runtime_files(sysadm_passwd_t) # for nscd lookups -@@ -423,19 +470,17 @@ files_dontaudit_search_pids(sysadm_passwd_t) +@@ -423,19 +471,17 @@ files_dontaudit_search_pids(sysadm_passwd_t) # correctly without it. Do not audit write denials to utmp. init_dontaudit_rw_utmp(sysadm_passwd_t) @@ -2918,7 +2919,7 @@ index d555767..68f6887 100644 ') ######################################## -@@ -443,7 +488,8 @@ optional_policy(` +@@ -443,7 +489,8 @@ optional_policy(` # Useradd local policy # @@ -2928,7 +2929,7 @@ index d555767..68f6887 100644 dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -458,6 +504,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; +@@ -458,6 +505,10 @@ allow useradd_t self:unix_stream_socket create_stream_socket_perms; allow useradd_t self:unix_dgram_socket sendto; allow useradd_t self:unix_stream_socket connectto; 
@@ -2939,7 +2940,7 @@ index d555767..68f6887 100644 # for getting the number of groups kernel_read_kernel_sysctls(useradd_t) -@@ -465,36 +515,36 @@ corecmd_exec_shell(useradd_t) +@@ -465,36 +516,36 @@ corecmd_exec_shell(useradd_t) # Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}. corecmd_exec_bin(useradd_t) @@ -2988,7 +2989,7 @@ index d555767..68f6887 100644 auth_manage_shadow(useradd_t) auth_relabel_shadow(useradd_t) auth_etc_filetrans_shadow(useradd_t) -@@ -505,33 +555,36 @@ init_rw_utmp(useradd_t) +@@ -505,33 +556,36 @@ init_rw_utmp(useradd_t) logging_send_audit_msgs(useradd_t) logging_send_syslog_msg(useradd_t) @@ -3039,7 +3040,7 @@ index d555767..68f6887 100644 optional_policy(` apache_manage_all_user_content(useradd_t) ') -@@ -542,7 +595,12 @@ optional_policy(` +@@ -542,7 +596,12 @@ optional_policy(` ') optional_policy(` @@ -3053,7 +3054,7 @@ index d555767..68f6887 100644 ') optional_policy(` -@@ -550,6 +608,11 @@ optional_policy(` +@@ -550,6 +609,11 @@ optional_policy(` ') optional_policy(` @@ -3065,7 +3066,7 @@ index d555767..68f6887 100644 tunable_policy(`samba_domain_controller',` samba_append_log(useradd_t) ') -@@ -559,3 +622,12 @@ optional_policy(` +@@ -559,3 +623,12 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') @@ -43876,7 +43877,7 @@ index e79d545..101086d 100644 ') diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt -index 6e91317..936a91d 100644 +index 6e91317..1dee6c7 100644 --- a/policy/support/obj_perm_sets.spt +++ b/policy/support/obj_perm_sets.spt @@ -28,8 +28,7 @@ define(`devfile_class_set', `{ chr_file blk_file }') 
@@ -43973,7 +43974,7 @@ index 6e91317..936a91d 100644 # Use (read and write) terminals # -define(`rw_term_perms', `{ getattr open read write append ioctl }') -+define(`rw_inherited_term_perms', `{ getattr read write append ioctl }') ++define(`rw_inherited_term_perms', `{ getattr lock read write append ioctl }') +define(`rw_term_perms', `{ rw_inherited_term_perms open }') # diff --git a/policy-f19-contrib.patch b/policy-f19-contrib.patch index dfef892..43a7584 100644 --- a/policy-f19-contrib.patch +++ b/policy-f19-contrib.patch @@ -7155,7 +7155,7 @@ index 1a7a97e..1d29dce 100644 domain_system_change_exemption($1) role_transition $2 apmd_initrc_exec_t system_r; diff --git a/apm.te b/apm.te -index 3590e2f..e1494bd 100644 +index 3590e2f..1d8a844 100644 --- a/apm.te +++ b/apm.te @@ -35,6 +35,9 @@ files_type(apmd_var_lib_t) @@ -7186,7 +7186,15 @@ index 3590e2f..e1494bd 100644 allow apmd_t self:process { signal_perms getsession }; allow apmd_t self:fifo_file rw_fifo_file_perms; allow apmd_t self:netlink_socket create_socket_perms; -@@ -114,8 +117,7 @@ fs_dontaudit_getattr_all_files(apmd_t) +@@ -90,6 +93,7 @@ kernel_read_kernel_sysctls(apmd_t) + kernel_rw_all_sysctls(apmd_t) + kernel_read_system_state(apmd_t) + kernel_write_proc_files(apmd_t) ++kernel_request_load_module(apmd_t) + + dev_read_input(apmd_t) + dev_read_mouse(apmd_t) +@@ -114,8 +118,7 @@ fs_dontaudit_getattr_all_files(apmd_t) fs_dontaudit_getattr_all_symlinks(apmd_t) fs_dontaudit_getattr_all_pipes(apmd_t) fs_dontaudit_getattr_all_sockets(apmd_t) @@ -7196,7 +7204,7 @@ index 3590e2f..e1494bd 100644 corecmd_exec_all_executables(apmd_t) -@@ -129,6 +131,8 @@ domain_dontaudit_list_all_domains_state(apmd_t) +@@ -129,6 +132,8 @@ domain_dontaudit_list_all_domains_state(apmd_t) auth_use_nsswitch(apmd_t) init_domtrans_script(apmd_t) 
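Review bot: Adding `lock` to `rw_inherited_term_perms` rather than to `rw_term_perms` grants lock to every domain that merely inherits a terminal file descriptor, not only to those allowed to open one, because `rw_term_perms` is now defined as `{ rw_inherited_term_perms open }`. If the changelog intent "Should allow domains to lock the terminal device" is about programs that open the tty themselves, the narrower placement is `define(\`rw_term_perms', \`{ rw_inherited_term_perms lock open }')` with the inherited set left as it was. Either way these sets are presumably expanded into many terminal interfaces, so a one-line comment above the define recording which denial motivated the change would help future audits of the widened permission set. Both define lines are complete within the hunk.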
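Review bot: `kernel_request_load_module(apmd_t)` — and the parallel `kernel_request_load_module(sssd_t)` in the sssd.te hunk later in this commit — lets the domain trigger kernel module autoloading with no comment on which module or operation needs it. Module requests are a privileged path into the kernel, so reviewers normally want the triggering action recorded beside the rule; suggest `# apmd triggers module autoload (3.12.1-74.14); record the module/operation once known` and the equivalent line for sssd_t. If the request is provoked by a specific device or protocol-family access, a targeted allow on that object might avoid the module-request permission entirely, but that cannot be determined from the hunks.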
@@ -7205,7 +7213,7 @@ index 3590e2f..e1494bd 100644 libs_exec_ld_so(apmd_t) libs_exec_lib_files(apmd_t) -@@ -136,17 +140,16 @@ libs_exec_lib_files(apmd_t) +@@ -136,17 +141,16 @@ libs_exec_lib_files(apmd_t) logging_send_audit_msgs(apmd_t) logging_send_syslog_msg(apmd_t) @@ -7225,7 +7233,7 @@ index 3590e2f..e1494bd 100644 optional_policy(` automount_domtrans(apmd_t) -@@ -206,11 +209,15 @@ optional_policy(` +@@ -206,11 +210,15 @@ optional_policy(` ') optional_policy(` @@ -13378,7 +13386,7 @@ index 3fe3cb8..5fe84a6 100644 + ') ') diff --git a/condor.te b/condor.te -index 3f2b672..ff94f23 100644 +index 3f2b672..8fb887d 100644 --- a/condor.te +++ b/condor.te @@ -34,6 +34,9 @@ files_tmp_file(condor_startd_tmp_t) @@ -13428,7 +13436,11 @@ index 3f2b672..ff94f23 100644 logging_log_filetrans(condor_domain, condor_log_t, { dir file }) manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t) -@@ -86,13 +98,10 @@ allow condor_domain condor_master_t:tcp_socket getattr; +@@ -83,16 +95,14 @@ files_pid_filetrans(condor_domain, condor_var_run_t, { dir file fifo_file }) + + allow condor_domain condor_master_t:process signull; + allow condor_domain condor_master_t:tcp_socket getattr; ++allow condor_domain condor_master_t:udp_socket { read write }; kernel_read_kernel_sysctls(condor_domain) kernel_read_network_state(condor_domain) @@ -13442,7 +13454,7 @@ index 3f2b672..ff94f23 100644 corenet_tcp_sendrecv_generic_if(condor_domain) corenet_tcp_sendrecv_generic_node(condor_domain) -@@ -106,9 +115,9 @@ dev_read_rand(condor_domain) +@@ -106,9 +116,9 @@ dev_read_rand(condor_domain) dev_read_sysfs(condor_domain) dev_read_urand(condor_domain) @@ -13454,7 +13466,7 @@ index 3f2b672..ff94f23 100644 tunable_policy(`condor_tcp_network_connect',` corenet_sendrecv_all_client_packets(condor_domain) -@@ -125,7 +134,7 @@ optional_policy(` +@@ -125,7 +135,7 @@ optional_policy(` # Master local policy # 
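Review bot: `allow condor_domain condor_master_t:udp_socket { read write };` grants every domain carrying the condor_domain attribute read/write on the master's UDP sockets, whereas the existing rules in this file were scoped per daemon (`allow condor_negotiator_t condor_master_t:udp_socket getattr;`, `allow condor_schedd_t condor_master_t:udp_socket getattr;`, `allow condor_collector_t condor_master_t:udp_socket rw_socket_perms;`). If only some children actually inherit the master's socket, per-domain rules keep the file's least-privilege shape; if all of them do, the narrower `getattr` rules become redundant and could be folded into the attribute rule with a comment such as `# every condor daemon inherits the master's UDP socket`. Which daemons need it is not visible from the hunk.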
@@ -13463,7 +13475,7 @@ index 3f2b672..ff94f23 100644 allow condor_master_t condor_domain:process { sigkill signal }; -@@ -133,6 +142,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) +@@ -133,6 +143,10 @@ manage_dirs_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) manage_files_pattern(condor_master_t, condor_master_tmp_t, condor_master_tmp_t) files_tmp_filetrans(condor_master_t, condor_master_tmp_t, { file dir }) @@ -13474,7 +13486,7 @@ index 3f2b672..ff94f23 100644 corenet_udp_sendrecv_generic_if(condor_master_t) corenet_udp_sendrecv_generic_node(condor_master_t) corenet_tcp_bind_generic_node(condor_master_t) -@@ -152,6 +165,8 @@ domain_read_all_domains_state(condor_master_t) +@@ -152,6 +166,8 @@ domain_read_all_domains_state(condor_master_t) auth_use_nsswitch(condor_master_t) @@ -13483,7 +13495,7 @@ index 3f2b672..ff94f23 100644 optional_policy(` mta_send_mail(condor_master_t) mta_read_config(condor_master_t) -@@ -169,6 +184,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; +@@ -169,6 +185,8 @@ allow condor_collector_t condor_master_t:udp_socket rw_socket_perms; kernel_read_network_state(condor_collector_t) @@ -13492,7 +13504,7 @@ index 3f2b672..ff94f23 100644 ##################################### # # Negotiator local policy -@@ -178,6 +195,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; +@@ -178,6 +196,8 @@ allow condor_negotiator_t self:capability { setuid setgid }; allow condor_negotiator_t condor_master_t:tcp_socket rw_stream_socket_perms; allow condor_negotiator_t condor_master_t:udp_socket getattr; @@ -13501,7 +13513,7 @@ index 3f2b672..ff94f23 100644 ###################################### # # Procd local policy -@@ -185,7 +204,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr; +@@ -185,7 +205,8 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr; allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace }; 
@@ -13511,7 +13523,7 @@ index 3f2b672..ff94f23 100644 domain_read_all_domains_state(condor_procd_t) -@@ -201,6 +221,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; +@@ -201,6 +222,8 @@ allow condor_schedd_t condor_master_t:udp_socket getattr; allow condor_schedd_t condor_var_lock_t:dir manage_file_perms; @@ -13520,7 +13532,7 @@ index 3f2b672..ff94f23 100644 domtrans_pattern(condor_schedd_t, condor_procd_exec_t, condor_procd_t) domtrans_pattern(condor_schedd_t, condor_startd_exec_t, condor_startd_t) -@@ -209,6 +231,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) +@@ -209,6 +232,8 @@ manage_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) relabel_files_pattern(condor_schedd_t, condor_schedd_tmp_t, condor_schedd_tmp_t) files_tmp_filetrans(condor_schedd_t, condor_schedd_tmp_t, { file dir }) @@ -13529,7 +13541,7 @@ index 3f2b672..ff94f23 100644 ##################################### # # Startd local policy -@@ -233,11 +257,10 @@ domain_read_all_domains_state(condor_startd_t) +@@ -233,11 +258,10 @@ domain_read_all_domains_state(condor_startd_t) mcs_process_set_categories(condor_startd_t) init_domtrans_script(condor_startd_t) @@ -13542,7 +13554,7 @@ index 3f2b672..ff94f23 100644 optional_policy(` ssh_basic_client_template(condor_startd, condor_startd_t, system_r) ssh_domtrans(condor_startd_t) -@@ -249,3 +272,7 @@ optional_policy(` +@@ -249,3 +273,7 @@ optional_policy(` kerberos_use(condor_startd_ssh_t) ') ') @@ -25990,10 +26002,10 @@ index fd02acc..0000000 - -miscfiles_read_localization(glusterd_t) diff --git a/gnome.fc b/gnome.fc -index e39de43..5818f74 100644 +index e39de43..4c8113b 100644 --- a/gnome.fc +++ b/gnome.fc -@@ -1,15 +1,58 @@ +@@ -1,15 +1,59 @@ -HOME_DIR/\.gconf(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) -HOME_DIR/\.gconfd(/.*)? gen_context(system_u:object_r:gconf_home_t,s0) -HOME_DIR/\.gnome(/.*)? gen_context(system_u:object_r:gnome_home_t,s0) 
@@ -26051,14 +26063,15 @@ index e39de43..5818f74 100644 +/usr/share/config(/.*)? gen_context(system_u:object_r:config_usr_t,s0) + /usr/bin/gnome-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) - --/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) --/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) ++/usr/bin/mate-keyring-daemon -- gen_context(system_u:object_r:gkeyringd_exec_t,s0) ++ +# Don't use because toolchain is broken +#/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) + +/usr/libexec/gconf-defaults-mechanism -- gen_context(system_u:object_r:gconfdefaultsm_exec_t,s0) -+ + +-/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) +-/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0) +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/gnome.if b/gnome.if @@ -39365,10 +39378,10 @@ index 0000000..b694afc +') + diff --git a/mozilla.fc b/mozilla.fc -index 6ffaba2..d1f0fda 100644 +index 6ffaba2..99a6cf4 100644 --- a/mozilla.fc +++ b/mozilla.fc -@@ -1,38 +1,67 @@ +@@ -1,38 +1,68 @@ -HOME_DIR/\.galeon(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) -HOME_DIR/\.mozilla/plugins(/.*)? gen_context(system_u:object_r:mozilla_plugin_home_t,s0) 
@@ -39410,6 +39423,7 @@ index 6ffaba2..d1f0fda 100644 +HOME_DIR/\.quakelive(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.spicec(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.texlive2012(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) ++HOME_DIR/\.texlive2013(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.ICAClient(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/\.IBMERS(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) +HOME_DIR/zimbrauserdata(/.*)? gen_context(system_u:object_r:mozilla_home_t,s0) @@ -39470,7 +39484,7 @@ index 6ffaba2..d1f0fda 100644 +/usr/lib/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:mozilla_plugin_config_exec_t,s0) +') diff --git a/mozilla.if b/mozilla.if -index 6194b80..2ab36ff 100644 +index 6194b80..99effb5 100644 --- a/mozilla.if +++ b/mozilla.if @@ -1,146 +1,75 @@ @@ -40160,7 +40174,7 @@ index 6194b80..2ab36ff 100644 ## ## ## -@@ -530,45 +498,54 @@ interface(`mozilla_plugin_delete_tmpfs_files',` +@@ -530,45 +498,55 @@ interface(`mozilla_plugin_delete_tmpfs_files',` ## ## # @@ -40230,6 +40244,7 @@ index 6194b80..2ab36ff 100644 + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".quakelive") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".spicec") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2012") ++ userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2013") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".ICAClient") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, "zimbrauserdata") + userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".juniper_networks") @@ -62013,7 +62028,7 @@ index 00edeab..166e9c3 100644 + read_files_pattern($1, procmail_home_t, procmail_home_t) ') diff --git a/procmail.te b/procmail.te -index d447152..a911295 100644 +index d447152..73c437c 100644 --- a/procmail.te +++ b/procmail.te @@ -1,4 +1,4 @@ 
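Review bot: The `\.texlive2013` entry in mozilla.fc and the matching `userdom_user_home_dir_filetrans($1, mozilla_home_t, dir, ".texlive2013")` in mozilla.if copy the texlive2012 lines verbatim, so the labeling will need another pair of edits for each TeX Live release. For the file context the regex can absorb future years, `HOME_DIR/\.texlive20[0-9][0-9](/.*)? gen_context(system_u:object_r:mozilla_home_t,s0)` (constructed; check it against the existing texlive2012 line before replacing it), while the filetrans interface must name each directory exactly and so still needs an explicit entry per release. A short comment on why a TeX directory is labelled mozilla_home_t — presumably the same reason as the other non-browser directories in this list — would also help, since the type name otherwise reads like a mistake; the reason is not stated in either hunk.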
@@ -62048,7 +62063,7 @@ index d447152..a911295 100644 allow procmail_t procmail_log_t:dir setattr_dir_perms; create_files_pattern(procmail_t, procmail_log_t, procmail_log_t) append_files_pattern(procmail_t, procmail_log_t, procmail_log_t) -@@ -40,59 +44,76 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) +@@ -40,89 +44,106 @@ logging_log_filetrans(procmail_t, procmail_log_t, { file dir }) allow procmail_t procmail_tmp_t:file manage_file_perms; files_tmp_filetrans(procmail_t, procmail_tmp_t, file) @@ -62152,7 +62167,8 @@ index d447152..a911295 100644 ') optional_policy(` -@@ -100,12 +121,7 @@ optional_policy(` +- cyrus_stream_connect(procmail_t) ++ dovecot_stream_connect(procmail_t) ') optional_policy(` @@ -62162,18 +62178,20 @@ index d447152..a911295 100644 - mta_manage_mail_home_rw_content(procmail_t) - mta_home_filetrans_mail_home_rw(procmail_t, dir, "Maildir") - mta_home_filetrans_mail_home_rw(procmail_t, dir, ".maildir") -+ gnome_manage_data(procmail_t) ++ cyrus_stream_connect(procmail_t) ') optional_policy(` -@@ -113,16 +129,17 @@ optional_policy(` +- munin_dontaudit_search_lib(procmail_t) ++ gnome_manage_data(procmail_t) ') optional_policy(` - nagios_search_spool(procmail_t) --') -- --optional_policy(` ++ munin_dontaudit_search_lib(procmail_t) + ') + + optional_policy(` + # for a bug in the postfix local program postfix_dontaudit_rw_local_tcp_sockets(procmail_t) postfix_dontaudit_use_fds(procmail_t) @@ -62189,7 +62207,7 @@ index d447152..a911295 100644 ') optional_policy(` -@@ -131,6 +148,8 @@ optional_policy(` +@@ -131,6 +152,8 @@ optional_policy(` ') optional_policy(` @@ -64392,10 +64410,10 @@ index 1148dce..86d25ea 100644 + allow $2 pwauth_t:process signal; ') diff --git a/pwauth.te b/pwauth.te -index 3078e34..8f357cc 100644 +index 3078e34..215df88 100644 --- a/pwauth.te +++ b/pwauth.te -@@ -5,38 +5,35 @@ policy_module(pwauth, 1.0.0) +@@ -5,26 +5,23 @@ policy_module(pwauth, 1.0.0) # Declarations # 
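Review bot: The only functional change among the reshuffled optional_policy blocks is the new `dovecot_stream_connect(procmail_t)`, but because the cyrus, munin and nagios calls move in the same hunk the diff reads as though several grants changed. Keeping the alphabetical reorder in its own commit would make the access change auditable by itself; at minimum a comment on the new block, e.g. `# local delivery over dovecot's stream socket (3.12.1-74.14)`, records why procmail now talks to dovecot. The inner hunk was widened to `@@ -40,89 +44,106 @@`, so the surrounding context extends beyond the lines quoted here.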
@@ -64426,13 +64444,12 @@ index 3078e34..8f357cc 100644 manage_files_pattern(pwauth_t, pwauth_var_run_t, pwauth_var_run_t) files_pid_filetrans(pwauth_t, pwauth_var_run_t, file) +@@ -33,10 +30,10 @@ domain_use_interactive_fds(pwauth_t) - domain_use_interactive_fds(pwauth_t) - -+ auth_domtrans_chkpwd(pwauth_t) auth_use_nsswitch(pwauth_t) +auth_read_shadow(pwauth_t) ++auth_rw_lastlog(pwauth_t) init_read_utmp(pwauth_t) @@ -80155,7 +80172,7 @@ index 88e753f..133d993 100644 + admin_pattern($1, mail_spool_t) ') diff --git a/sendmail.te b/sendmail.te -index 5f35d78..d4003d0 100644 +index 5f35d78..50651d2 100644 --- a/sendmail.te +++ b/sendmail.te @@ -1,18 +1,10 @@ @@ -80178,7 +80195,7 @@ index 5f35d78..d4003d0 100644 type sendmail_log_t; logging_log_file(sendmail_log_t) -@@ -26,27 +18,26 @@ type sendmail_t; +@@ -26,27 +18,27 @@ type sendmail_t; mta_sendmail_mailserver(sendmail_t) mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -80199,6 +80216,7 @@ index 5f35d78..d4003d0 100644 -allow sendmail_t self:capability { dac_override setuid setgid sys_nice chown sys_tty_config }; +allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config }; +dontaudit sendmail_t self:capability net_admin; ++dontaudit sendmail_t self:capability2 block_suspend; allow sendmail_t self:process { setsched setpgid setrlimit signal signull }; allow sendmail_t self:fifo_file rw_fifo_file_perms; -allow sendmail_t self:unix_stream_socket { accept listen }; @@ -80217,7 +80235,7 @@ index 5f35d78..d4003d0 100644 logging_log_filetrans(sendmail_t, sendmail_log_t, { file dir }) manage_dirs_pattern(sendmail_t, sendmail_tmp_t, sendmail_tmp_t) -@@ -58,33 +49,21 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file) +@@ -58,33 +50,21 @@ files_pid_filetrans(sendmail_t, sendmail_var_run_t, file) kernel_read_network_state(sendmail_t) kernel_read_kernel_sysctls(sendmail_t) 
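Review bot: `auth_rw_lastlog(pwauth_t)` is a new write grant that does not appear in the 3.12.1-74.14 changelog, which covers passwd, sssd, apmd, procmail, smoltclient, condor, sendmail, texlive and the terminal lock change but nothing for pwauth. lastlog is the login-record file, and an authentication helper that already reads shadow (`auth_read_shadow(pwauth_t)` is context here) and can now rewrite lastlog should have the reason recorded; if pwauth only needs to report last login, a read-only interface would be the narrower choice — confirm which operation was denied. Suggest a comment `# pwauth updates lastlog on successful authentication` plus a changelog bullet, whichever matches the actual need.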
@@ -80255,7 +80273,7 @@ index 5f35d78..d4003d0 100644 fs_getattr_all_fs(sendmail_t) fs_search_auto_mountpoints(sendmail_t) -@@ -93,35 +72,49 @@ fs_rw_anon_inodefs_files(sendmail_t) +@@ -93,35 +73,49 @@ fs_rw_anon_inodefs_files(sendmail_t) term_dontaudit_use_console(sendmail_t) term_dontaudit_use_generic_ptys(sendmail_t) @@ -80311,7 +80329,7 @@ index 5f35d78..d4003d0 100644 ') optional_policy(` -@@ -129,8 +122,8 @@ optional_policy(` +@@ -129,8 +123,8 @@ optional_policy(` ') optional_policy(` @@ -80322,7 +80340,7 @@ index 5f35d78..d4003d0 100644 ') optional_policy(` -@@ -158,6 +151,10 @@ optional_policy(` +@@ -158,6 +152,10 @@ optional_policy(` ') optional_policy(` @@ -80333,7 +80351,7 @@ index 5f35d78..d4003d0 100644 milter_stream_connect_all(sendmail_t) ') -@@ -166,6 +163,11 @@ optional_policy(` +@@ -166,6 +164,11 @@ optional_policy(` ') optional_policy(` @@ -80345,7 +80363,7 @@ index 5f35d78..d4003d0 100644 postfix_domtrans_postdrop(sendmail_t) postfix_domtrans_master(sendmail_t) postfix_domtrans_postqueue(sendmail_t) -@@ -187,21 +189,13 @@ optional_policy(` +@@ -187,21 +190,13 @@ optional_policy(` ') optional_policy(` @@ -81770,7 +81788,7 @@ index a8b1aaf..fc0a2be 100644 netutils_domtrans_ping(httpd_smokeping_cgi_script_t) diff --git a/smoltclient.te b/smoltclient.te -index 9c8f9a5..14f15a4 100644 +index 9c8f9a5..f074b4d 100644 --- a/smoltclient.te +++ b/smoltclient.te @@ -51,14 +51,12 @@ fs_list_auto_mountpoints(smoltclient_t) @@ -81788,6 +81806,17 @@ index 9c8f9a5..14f15a4 100644 optional_policy(` abrt_stream_connect(smoltclient_t) +@@ -77,6 +75,10 @@ optional_policy(` + ') + + optional_policy(` ++ libs_exec_ldconfig(smoltclient_t) ++') ++ ++optional_policy(` + rpm_exec(smoltclient_t) + rpm_read_db(smoltclient_t) + ') diff --git a/smsd.fc b/smsd.fc new file mode 100644 index 0000000..4c3fcec @@ -84711,7 +84740,7 @@ index a240455..54c5c1f 100644 - admin_pattern($1, sssd_log_t) ') 
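Review bot: `libs_exec_ldconfig(smoltclient_t)` is wrapped in its own optional_policy block, yet libs appears to be a base module whose interfaces are called unconditionally elsewhere in this same commit (`libs_exec_ld_so(apmd_t)` and `libs_exec_lib_files(apmd_t)` are top-level context in the apm.te hunk). The wrapper is harmless but inconsistent and suggests the grant is conditional when it is not; placing `libs_exec_ldconfig(smoltclient_t)` at top level beside the other base-module calls would match the convention the rest of the patch follows. The neighbouring rpm block is unchanged.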
diff --git a/sssd.te b/sssd.te -index 8b537aa..3bce4df 100644 +index 8b537aa..92ad8d0 100644 --- a/sssd.te +++ b/sssd.te @@ -1,4 +1,4 @@ @@ -84754,9 +84783,11 @@ index 8b537aa..3bce4df 100644 logging_log_filetrans(sssd_t, sssd_var_log_t, file) manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t) -@@ -63,16 +64,9 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) +@@ -62,17 +63,11 @@ files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir }) + kernel_read_network_state(sssd_t) kernel_read_system_state(sssd_t) ++kernel_request_load_module(sssd_t) -corenet_all_recvfrom_unlabeled(sssd_t) -corenet_all_recvfrom_netlabel(sssd_t) @@ -84772,7 +84803,7 @@ index 8b537aa..3bce4df 100644 corecmd_exec_bin(sssd_t) -@@ -83,9 +77,7 @@ domain_read_all_domains_state(sssd_t) +@@ -83,9 +78,7 @@ domain_read_all_domains_state(sssd_t) domain_obj_id_change_exemption(sssd_t) files_list_tmp(sssd_t) @@ -84782,7 +84813,7 @@ index 8b537aa..3bce4df 100644 files_list_var_lib(sssd_t) fs_list_inotifyfs(sssd_t) -@@ -94,14 +86,15 @@ selinux_validate_context(sssd_t) +@@ -94,14 +87,15 @@ selinux_validate_context(sssd_t) seutil_read_file_contexts(sssd_t) # sssd wants to write /etc/selinux//logins/ for SELinux PAM module @@ -84800,7 +84831,7 @@ index 8b537aa..3bce4df 100644 auth_domtrans_chk_passwd(sssd_t) auth_domtrans_upd_passwd(sssd_t) auth_manage_cache(sssd_t) -@@ -112,18 +105,32 @@ logging_send_syslog_msg(sssd_t) +@@ -112,18 +106,32 @@ logging_send_syslog_msg(sssd_t) logging_send_audit_msgs(sssd_t) miscfiles_read_generic_certs(sssd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 075ff93..c57ac6d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.12.1 -Release: 74.13%{?dist} +Release: 74.14%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz 
@@ -539,6 +539,18 @@ SELinux Reference policy mls base module. %endif %changelog +* Tue Nov 26 2013 Lukas Vrabec 3.12.1-74.14 +- Allow apmd to request the kernel load module +- Allow sssd to request the kernel loads modules +- label mate-keyring-daemon with gkeyringd_exec_t +- Allow procmail_t to connect to dovecot stream sockets +- Allow smoltclient to execute ldconfig +- Allow condor domains to read/write condor_master udp_socket +- sendmail can attempt to block suspend, but will complete successfully +- Add support for texlive2013 +- Allow passwd_t to connect to gnome keyring to change password +- Should allow domains to lock the terminal device + * Mon Nov 11 2013 Miroslav Grepl 3.12.1-74.13 - Update xserver.te to make GDM working